|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/** |
|
4
|
|
|
* @return bool |
|
5
|
|
|
*/ |
|
6
|
|
|
function protector_prepare() |
|
7
|
|
|
{ |
|
8
|
|
|
// check the access is from install/index.php |
|
9
|
|
|
if (defined('_INSTALL_CHARSET') && !is_writable(XOOPS_ROOT_PATH . '/mainfile.php')) { |
|
10
|
|
|
die('To use installer, remove protector\'s lines from mainfile.php first.'); |
|
|
|
|
|
|
11
|
|
|
} |
|
12
|
|
|
|
|
13
|
|
|
// Protector class |
|
14
|
|
|
require_once dirname(__DIR__) . '/class/protector.php'; |
|
15
|
|
|
|
|
16
|
|
|
// Protector object |
|
17
|
|
|
$protector = Protector::getInstance(); |
|
18
|
|
|
$conf = $protector->getConf(); |
|
19
|
|
|
|
|
20
|
|
|
// phar wrapper deserialization |
|
21
|
|
|
array_walk_recursive($_GET, 'protector_phar_check'); |
|
22
|
|
|
array_walk_recursive($_POST, 'protector_phar_check'); |
|
23
|
|
|
|
|
24
|
|
|
// bandwidth limitation |
|
25
|
|
|
if (@$conf['bwlimit_count'] >= 10) { |
|
26
|
|
|
$bwexpire = $protector->get_bwlimit(); |
|
27
|
|
|
if ($bwexpire > time()) { |
|
28
|
|
|
header('HTTP/1.0 503 Service unavailable'); |
|
29
|
|
|
$protector->call_filter('precommon_bwlimit', 'This website is very busy now. Please try later.'); |
|
30
|
|
|
} |
|
31
|
|
|
} |
|
32
|
|
|
|
|
33
|
|
|
// bad_ips |
|
34
|
|
|
$bad_ips = $protector->get_bad_ips(true); |
|
35
|
|
|
$bad_ip_match = $protector->ip_match($bad_ips); |
|
36
|
|
|
if ($bad_ip_match) { |
|
37
|
|
|
$protector->call_filter('precommon_badip', 'You are registered as BAD_IP by Protector.'); |
|
38
|
|
|
} |
|
39
|
|
|
|
|
40
|
|
|
// global enabled or disabled |
|
41
|
|
|
if (!empty($conf['global_disabled'])) { |
|
42
|
|
|
return true; |
|
43
|
|
|
} |
|
44
|
|
|
|
|
45
|
|
|
// reliable ips |
|
46
|
|
|
$reliable_ips = @unserialize(@$conf['reliable_ips'], array('allowed_classes' => false)); |
|
47
|
|
|
if (!is_array($reliable_ips)) { |
|
48
|
|
|
// for the environment of (buggy core version && magic_quotes_gpc) |
|
49
|
|
|
$reliable_ips = @unserialize(stripslashes(@$conf['reliable_ips']), array('allowed_classes' => false)); |
|
50
|
|
|
if (!is_array($reliable_ips)) { |
|
51
|
|
|
$reliable_ips = array(); |
|
52
|
|
|
} |
|
53
|
|
|
} |
|
54
|
|
|
$is_reliable = false; |
|
55
|
|
|
foreach ($reliable_ips as $reliable_ip) { |
|
56
|
|
|
if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) { |
|
57
|
|
|
$is_reliable = true; |
|
58
|
|
|
} |
|
59
|
|
|
} |
|
60
|
|
|
|
|
61
|
|
|
// "DB Layer Trapper" |
|
62
|
|
|
$force_override = strstr(@$_SERVER['REQUEST_URI'], 'protector/admin/index.php?page=advisory') ? true : false; |
|
63
|
|
|
// $force_override = true ; |
|
64
|
|
|
if ($force_override || !empty($conf['enable_dblayertrap'])) { |
|
65
|
|
|
@define('PROTECTOR_ENABLED_ANTI_SQL_INJECTION', 1); |
|
|
|
|
|
|
66
|
|
|
$protector->dblayertrap_init($force_override); |
|
67
|
|
|
} |
|
68
|
|
|
|
|
69
|
|
|
// "Big Umbrella" subset version |
|
70
|
|
|
if (!empty($conf['enable_bigumbrella'])) { |
|
71
|
|
|
@define('PROTECTOR_ENABLED_ANTI_XSS', 1); |
|
72
|
|
|
$protector->bigumbrella_init(); |
|
73
|
|
|
} |
|
74
|
|
|
|
|
75
|
|
|
// force intval variables whose name is *id |
|
76
|
|
|
if (!empty($conf['id_forceintval'])) { |
|
77
|
|
|
$protector->intval_allrequestsendid(); |
|
78
|
|
|
} |
|
79
|
|
|
|
|
80
|
|
|
// eliminate '..' from requests looks like file specifications |
|
81
|
|
|
if (!$is_reliable && !empty($conf['file_dotdot'])) { |
|
82
|
|
|
$protector->eliminate_dotdot(); |
|
83
|
|
|
} |
|
84
|
|
|
|
|
85
|
|
|
// Check uploaded files |
|
86
|
|
|
if (!$is_reliable && !empty($_FILES) && !empty($conf['die_badext']) && !defined('PROTECTOR_SKIP_FILESCHECKER') && !$protector->check_uploaded_files()) { |
|
87
|
|
|
$protector->output_log($protector->last_error_type); |
|
88
|
|
|
$protector->purge(); |
|
89
|
|
|
} |
|
90
|
|
|
|
|
91
|
|
|
// Variables contamination |
|
92
|
|
|
if (!$protector->check_contami_systemglobals()) { |
|
93
|
|
|
if (@$conf['contami_action'] & 4) { |
|
94
|
|
|
if (@$conf['contami_action'] & 8) { |
|
95
|
|
|
$protector->_should_be_banned = true; |
|
96
|
|
|
} else { |
|
97
|
|
|
$protector->_should_be_banned_time0 = true; |
|
98
|
|
|
} |
|
99
|
|
|
$_GET = $_POST = array(); |
|
100
|
|
|
} |
|
101
|
|
|
|
|
102
|
|
|
$protector->output_log($protector->last_error_type); |
|
103
|
|
|
if (@$conf['contami_action'] & 2) { |
|
104
|
|
|
$protector->purge(); |
|
105
|
|
|
} |
|
106
|
|
|
} |
|
107
|
|
|
|
|
108
|
|
|
// prepare for DoS |
|
109
|
|
|
//if ( ! $protector->check_dos_attack_prepare() ) { |
|
110
|
|
|
// $protector->output_log( $protector->last_error_type , 0 , true ) ; |
|
111
|
|
|
//} |
|
112
|
|
|
|
|
113
|
|
|
if (!empty($conf['disable_features'])) { |
|
114
|
|
|
$protector->disable_features(); |
|
115
|
|
|
} |
|
116
|
|
|
return null; |
|
117
|
|
|
} |
|
118
|
|
|
|
|
119
|
|
|
/** |
|
120
|
|
|
* Callback for array_walk_recursive to check for phar wrapper |
|
121
|
|
|
* |
|
122
|
|
|
* @param mixed $item |
|
123
|
|
|
* @param mixed $key |
|
124
|
|
|
* |
|
125
|
|
|
* @return void |
|
126
|
|
|
*/ |
|
127
|
|
|
function protector_phar_check($item, $key) |
|
|
|
|
|
|
128
|
|
|
{ |
|
129
|
|
|
$check = preg_match('#^\s*phar://#', $item); |
|
130
|
|
|
if(1===$check) { |
|
131
|
|
|
$protector = Protector::getInstance(); |
|
132
|
|
|
$protector->message = 'Protector detects attacking actions'; |
|
133
|
|
|
$protector->output_log('PHAR'); |
|
134
|
|
|
$protector->purge(false); |
|
135
|
|
|
} |
|
136
|
|
|
} |
|
137
|
|
|
|
geekwright /
XoopsCore25
Loading history...
In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.